Network services are deployed to provide various types of functionality that let both local and remote users employ resources on a particular client (here, "client" refers to any computing system, whether a server, a workstation, or another computer). However, network services are also a primary point of vulnerability that attackers can use to exploit and compromise a system. One of the primary security problems with deploying network services is that, in order to be functional, a service running on a client is externally exposed. That is, network services on a client can be accessed by remote hosts or users via an external communications port on the local client. This external exposure can also be exploited for the purposes of an attack or hack.
While many network services have mechanisms for access control, these mechanisms still require that at least some initial traffic be processed in order to make an access control judgment. Conventional authentication techniques therefore still provide an opportunity for an unauthenticated client or attacker to reach a client. For example, if authentication is performed by restricting access to a list of authorized IP addresses, an initial packet must still be received and decoded in order to determine its source or destination IP address. Other forms of authentication may require processing several packets, thus providing a window for an attacker to gain illegitimate access to a client. For example, numerous buffer overflow exploits take advantage of these windows to gain control of systems (e.g. the imapex2 authentication buffer overflow). Even without a response packet from the target client, the attacker knows that a service or set of services is exposed and can be attacked.

Many attackers begin by probing or scanning for systems and services. Once they locate a service, they attempt to identify it and then use that information to launch an actual attack. Conventional solutions to these problems are limited in terms of either granularity or overhead.
Thus, there is a need for a solution that allows remote and secure access to private network services while preventing unauthenticated access.
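The following is an added example, not part of the original text, illustrating the IP-allowlist argument above: a service that enforces a source-address allowlist in the application itself has already let the kernel complete the TCP handshake before it can decode the peer address, so a connection from a non-allowlisted address still proves to the remote side that the port is open. The allowlist value and the localhost service are constructed for the demonstration.

```python
import socket
import threading

# Constructed allowlist: the test client connects from 127.0.0.1, which is not in it.
ALLOWED_SOURCES = {"10.0.0.5"}


def serve_one(listener, log):
    """Accept a single connection, then apply the source-address allowlist."""
    conn, (peer_ip, _) = listener.accept()  # the TCP handshake is already complete here
    with conn:
        if peer_ip in ALLOWED_SOURCES:
            log.append(("accepted", peer_ip))
            conn.sendall(b"220 service ready\r\n")
        else:
            # The decision can only be made after the initial packet was received and decoded.
            log.append(("rejected", peer_ip))


def probe(host="127.0.0.1"):
    """Start an allowlisted service and connect to it from a non-allowlisted address."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))  # ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]
    log = []
    t = threading.Thread(target=serve_one, args=(listener, log))
    t.start()

    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as c:
        c.settimeout(2)
        try:
            c.connect((host, port))
            handshake_completed = True  # a SYN/ACK came back: the service is observably exposed
        except OSError:
            handshake_completed = False
        banner = b""
        if handshake_completed:
            try:
                banner = c.recv(64)  # empty: the service closed without speaking
            except OSError:
                banner = b""
    t.join()
    listener.close()
    return {"handshake_completed": handshake_completed,
            "banner": banner,
            "service_decision": log[0][0] if log else None}


if __name__ == "__main__":
    print(probe())
```

The rejected peer never receives a banner, yet its connect() succeeded, which is exactly the information a scanning attacker is looking for; filtering before the handshake completes (at the packet filter rather than in the service) is what closes that window.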